Resource Access Management: Overview

Last Updated: Sep 30, 2024

You can use the Open Authorization (OAuth) 2.0 protocol together with Alibaba Cloud Resource Access Management (RAM) to authenticate users and authorize applications to access specific Alibaba Cloud resources. This topic introduces the basic terms of OAuth 2.0 and describes the common scenarios and scopes of OAuth 2.0.

Terms

user

A user must log on to Alibaba Cloud before the user can authorize an application to access specific Alibaba Cloud resources. The user can be the owner of an Alibaba Cloud account or a RAM user.

Note

OAuth applications that were created before September 10, 2024 do not support RAM roles. If you want to use RAM roles, submit a ticket.

Alibaba Cloud OAuth 2.0 service

A service that is used to authenticate users and generate tokens for applications to access specific Alibaba Cloud resources on behalf of users.

OAuth application

An application that can access Alibaba Cloud resources after being authorized by a user and obtaining tokens of the user.

The OAuth 2.0 service supports the following types of applications:

  • WebApp: a web application.

  • NativeApp: a native application that runs on an operating system, such as a desktop operating system or a mobile operating system.

  • ServerApp: an application that can access Alibaba Cloud services without the need for manual user logon. User synchronization based on the System for Cross-Domain Identity Management (SCIM) protocol is supported.

Applications can be classified into the following types based on their ownership:

  • Enterprise applications: applications that you develop yourself and that use OAuth 2.0 to obtain the Alibaba Cloud identities of users.

  • Third-party applications: applications developed by others that you authorize to obtain your Alibaba Cloud identity.

OAuth scope

The scope within which an application is allowed to access Alibaba Cloud resources on behalf of a user. The following scopes are supported:

  • openid: obtains the OpenID of the user. This is the default scope and cannot be deleted.

    Note

    The obtained OpenID is a string that uniquely identifies a user. However, the OpenID does not contain information such as the Alibaba Cloud UID and username of the user. If you want to obtain the information, you must add the aliuid and profile scopes.

  • aliuid: obtains the Alibaba Cloud UID of the user.

  • profile: obtains the profile such as the username of the user.

  • /acs/ccc: calls Alibaba Cloud Call Center API.

  • /acs/alidns: calls Alibaba Cloud DNS API.

  • /acs/scim: accesses Cross-Domain Identity Management.

  • /acs/digitalstore: accesses Digital Store.

  • /acs/scsp: accesses Smart Customer Service Platform.

  • /acs/cloudgame: accesses Cloud Gaming Platform.

  • /acs/aiccs: accesses Artificial Intelligence Cloud Call Service.

  • /acs/cloudesl: calls Alibaba Cloud CloudESL API.

  • /acs/alimt: accesses Machine Translation.

token

A token that the OAuth 2.0 service issues to an application. The following types of tokens exist:

  • ID token: This type of token contains only user identity information and cannot be used to access Alibaba Cloud resources.

  • Access token: This type of token contains user identity information and the OAuth scopes of an application. This type of token can be used to access Alibaba Cloud resources within the specified OAuth scopes.

  • Refresh token: This type of token can be used to obtain new access tokens.

Alibaba Cloud API

The API that an application can call to access Alibaba Cloud resources.

Scenarios

OAuth scopes

Alibaba Cloud RAM provides three OAuth scopes: openid, aliuid, and profile. The parameters that you obtain depend on which scopes are added. The following table describes the parameters.

| Parameter | Description | Example | Required OAuth scope |
| --- | --- | --- | --- |
| exp | The timestamp when the token expires. | 1517539523 | openid |
| sub | A unique string that identifies the user. The string does not contain the UID and username of the user. Note: If the user assumes a RAM role, the value of the sub parameter is generated based on <RoleId:RoleSessionName>. The value is unique and generated for each user. | 123456789012**** | openid |
| aud | The receiver of the token, which is the ID of the OAuth application. | 4567890123456**** | openid |
| iss | The issuer of the token. Valid value: https://oauth.aliyun.com. | https://oauth.aliyun.com | openid |
| iat | The timestamp when the token was issued. | 1517533200 | openid |
| aid | The ID of the Alibaba Cloud account to which the user belongs. | 177242285274**** | aliuid |
| uid | The ID of the user. Valid values: if an Alibaba Cloud account is used, the value is the same as the value of the aid parameter; if a RAM user is used, the value is the ID of the RAM user; if a RAM role is used, the value is the ID of the RAM role. | 20124982101502**** | aliuid |
| type | The type of the user. Valid values: account (an Alibaba Cloud account), user (a RAM user), and role (a RAM role). | user | profile |
| login_name | The logon name of the Alibaba Cloud account. Note: This parameter is returned only if an Alibaba Cloud account initiates the request. | Alice | profile |
| upn | The logon name of the RAM user. Note: This parameter is returned only if a RAM user initiates the request. | Bob@examplecompany.onaliyun.com | profile |
| name | The name of the user. Valid values: if a RAM user is used, the value is the display name of the RAM user; if a RAM role is used, the value is in the <RoleName:RoleSessionName> format. Note: This parameter is returned only if a RAM user or a RAM role initiates the request. | Bob | profile |
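The checks an application should run on the claims of an ID token before trusting them, as an added example that is not Alibaba Cloud's own code: it assumes the JWT signature has already been verified and that the decoded claims arrive as a Python dict; the sample claims are constructed from the example values in the table above, and the function names are the example's own.

```python
import time

ISSUER = "https://oauth.aliyun.com"  # the only valid iss value per the table above

# Constructed sample claims for a RAM user, built from the table's example values.
SAMPLE_RAM_USER = {
    "exp": 1517539523, "iat": 1517533200, "iss": ISSUER,
    "aud": "4567890123456****", "sub": "123456789012****",
    "aid": "177242285274****", "uid": "20124982101502****",
    "type": "user", "upn": "Bob@examplecompany.onaliyun.com", "name": "Bob",
}

def validate_id_token_claims(claims, app_id, now=None):
    """Check the openid claims of an ID token whose signature was already verified.
    Returns a list of problems; an empty list means the claims are acceptable."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("unexpected issuer")
    if claims.get("aud") != app_id:  # aud must be this OAuth application's ID
        problems.append("token was issued to another OAuth application")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or exp <= now:
        problems.append("token is expired or has no exp")
    if not isinstance(iat, int) or iat > now:
        problems.append("iat is missing or lies in the future")
    if not claims.get("sub"):
        problems.append("sub is missing")
    # For an Alibaba Cloud account, uid must equal aid (both come with the aliuid scope).
    if claims.get("type") == "account" and "uid" in claims and claims["uid"] != claims.get("aid"):
        problems.append("uid and aid disagree for an account principal")
    return problems

def identity_from_claims(claims):
    """Map the aliuid/profile claims to (principal type, id, display name).
    Which logon-name claim is present depends on the type claim, as the table describes."""
    kind = claims.get("type")
    if kind == "account":
        return ("account", claims["uid"], claims.get("login_name"))
    if kind == "user":
        return ("user", claims["uid"], claims.get("upn"))
    if kind == "role":
        # name is <RoleName:RoleSessionName>; keep the two parts apart for audit logs
        role_name, _, session = claims.get("name", "").partition(":")
        return ("role", claims["uid"], f"{role_name} ({session})")
    raise ValueError(f"unknown user type: {kind!r}")

if __name__ == "__main__":
    print(validate_id_token_claims(SAMPLE_RAM_USER, "4567890123456****", now=1517535000))
    print(identity_from_claims(SAMPLE_RAM_USER))
```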